HHS Continues Focused Oversight of Healthcare Providers on Emergency Preparedness Issues: Cybersecurity Included As a Risk Factor
On September 13, 2016, the U.S. Department of Health and Human Services (HHS), Centers for Medicare and Medicaid Services (CMS) released a Final Rule, set for publication on September 16, 2017, entitled "Medicare and Medicaid Programs: Emergency Preparedness Requirements for Medicare and Medicaid Participating Providers and Suppliers." The Final Rule "establishes national emergency preparedness requirements for Medicare- and Medicaid-participating providers and suppliers" and focuses on the need for greater preparedness for both natural and man-made disasters. The Rule takes an "all-hazards" approach when looking at man-made and natural disasters. An all-hazards approach focuses on hazards most likely to occur in the entity's location. This approach rolls cybersecurity risks into more traditional ones that include events such as hurricanes, power failures, and communication interruptions, as well as outbreaks of new and emerging diseases.
The final rule states that "many providers and suppliers have emergency preparedness requirements, but those requirements do not go far enough in ensuring that these providers and suppliers are equipped and prepared to help protect those they serve during emergencies and disasters." The Final Rule focuses on three main areas: 1) safeguarding human resources; 2) maintaining business continuity; and 3) protecting physical resources. In many ways, this approach tracks what other agencies and sectors are looking at when it comes to emergency preparedness and an "all hazards" approach by requiring consideration of cybersecurity attacks on the industry , which are increasing at an exponential level.
However, the health sector has come under increasing scrutiny by HHS and lawmakers in the last year on cybersecurity risks with Congress mandating the creation of a Health Care Industry Cybersecurity Task Force in the Cybersecurity Information Sharing Act of 2015 (CISA.) As part of the ongoing efforts of the Task Force, it is seeking ways to identify and address gaps in cybersecurity practices for the health care sector, medical devices, electronic health records and many other aspects of the system. CISA called for HHS to work closely with the U.S. Department of Homeland Security (DHS) and the National Institute of Standards and Technology (NIST) to create new voluntary, consensus-based guidelines to help the health care sector better address cybersecurity risks.
In the last few months, HHS Office of Civil Rights (OCR) has also reiterated publicly that "[t]he need for health care organizations to up their game on health data security has never been greater." The HIPAA Security Rule already requires covered entities to develop disaster recovery and emergency mode operation plans, as well as to conduct accurate and thorough risk analyses. The HHS Final Rule on emergency preparedness further emphasizes the need for hospitals, ambulatory surgical centers, hospices, Long Term Care (LTC) facilities and certain other members of the health care sector to consider and protect against cybersecurity threats.